How the state parameter in an OAuth2 request would prevent an attacker from sending malicious requests with OAuth2


I’m confused about how an attacker would be able to send requests on an authenticated OAuth2 application; how would the attacker even send the request in the first place if they don’t have the access key?


2 Answers

Anonymous

OAuth works with a Security Token Service.

A real world example is a large company with multiple offices. The security team gives an employee an ID that has a magic signature that can’t be faked.

The employee can then go to any office in the company, show the ID, and the security guard can verify that the ID hasn’t been tampered with because of the signature.

Because the security guard at the location can verify the signature from the central security department, the local guard can just let the employee by without checking with central security.

If someone could fake the magic signature, then they would get past the local security guard.

For OAuth, the signature is a cryptographic hash signature of the rest of the token. The hash would change if the token was modified by someone that doesn’t have the certificate the Security Token Service used to sign the certificate.

By using a hash such as ES-256 which doesn’t have a collision vulnerability (yet) the only way to fake the signature is to steal the signing certificate.

The state is used in the OAuth flow, which is far beyond an ELI5 post, but doesn’t have anything to do with the token creation or verification.

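The "magic signature" the answer above describes, as an added example that is not part of the original answer: a minimal ES256 (ECDSA over P-256 with SHA-256) signer standing in for the Security Token Service, and a verifier that plays the local guard, checking the token with nothing but the public key. The claims, the key pair and the tampering step are all constructed here to show that editing the payload invalidates the signature; this is illustrative Go using only the standard library, not any particular library's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// b64 is the padding-free base64url alphabet that compact JWS tokens use.
var b64 = base64.RawURLEncoding

// SignES256 acts as the Security Token Service: it signs header.payload with
// ECDSA over P-256 and SHA-256 (JWS "ES256") and appends the raw R||S signature.
func SignES256(priv *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // ES256 signatures are fixed-width R||S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyES256 acts as the local guard: with only the public key it checks that the
// signature covers exactly the header and payload it received, then returns the claims.
func VerifyES256(pub *ecdsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact token")
	}
	// Pin the algorithm: the header is attacker-controlled until the signature is
	// checked, so the verifier must never let "alg" choose the verification method.
	var hdr struct {
		Alg string `json:"alg"`
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("header unreadable or alg is not ES256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("signature is not 64 raw R||S bytes")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not match token contents")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// TamperPayload models an attacker who edits the claims of a token they hold but
// cannot re-sign it because they lack the private key.
func TamperPayload(token string, claims map[string]any) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(claims)
	parts[1] = b64.EncodeToString(payload)
	return strings.Join(parts, ".")
}

func main() {
	sts, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the STS's signing key (constructed)
	if err != nil {
		panic(err)
	}
	token, _ := SignES256(sts, map[string]any{"sub": "alice", "role": "employee"})
	if claims, err := VerifyES256(&sts.PublicKey, token); err == nil {
		fmt.Println("genuine token accepted:", claims["sub"], claims["role"])
	}
	forged := TamperPayload(token, map[string]any{"sub": "alice", "role": "admin"})
	if _, err := VerifyES256(&sts.PublicKey, forged); err != nil {
		fmt.Println("tampered token rejected:", err)
	}
}
```

The verifier needs only the public key, which is the point of the office analogy: the local guard never calls central security. Note that it also refuses to take the algorithm from the token header; a verifier that trusts `alg` can be talked into a weaker or absent check, which is the token-side equivalent of a guard accepting a badge with no signature.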
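The state check the question asks about, as an added example that is not part of the original question or answer: the attacker does not need the victim's access token, because the request they forge is the redirect back to the client application carrying a code for the attacker's own account (the login CSRF described in RFC 6749 section 10.12). The client below binds a random `state` to the browser session that started the login and refuses any callback whose `state` was not minted for that session. The endpoints, client ID and authorization codes are hypothetical constructed values; the code is illustrative Go using only the standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Session is the server-side session of one browser at the client application.
type Session struct {
	PendingState string // state issued when this session started a login; empty when none
}

// Hypothetical endpoints and identifiers; nothing here talks to a real server.
const (
	authorizeEndpoint = "https://as.example/authorize"
	clientID          = "client-123"
	redirectURI       = "https://app.example/callback"
)

var (
	ErrNoPendingLogin = errors.New("callback received but this session never started a login")
	ErrStateMismatch  = errors.New("state does not match the one issued to this session")
	ErrMissingCode    = errors.New("callback carries no authorization code")
)

// newState returns 32 bytes of CSPRNG output, base64url-encoded, so it cannot be guessed.
func newState() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// StartLogin mints a fresh state, stores it in the caller's session and builds the
// authorization request the browser is redirected to.
func StartLogin(sess *Session) (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	sess.PendingState = state
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	return authorizeEndpoint + "?" + q.Encode(), nil
}

// HandleCallback validates the redirect back from the authorization server and returns
// the authorization code only if the query's state equals the one this session minted.
// The pending state is cleared whatever the outcome, so a callback cannot be replayed.
func HandleCallback(sess *Session, rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	expected := sess.PendingState
	sess.PendingState = "" // single use
	if expected == "" {
		return "", ErrNoPendingLogin
	}
	got := q.Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
		return "", ErrStateMismatch
	}
	code := q.Get("code")
	if code == "" {
		return "", ErrMissingCode
	}
	return code, nil
}

func main() {
	// Legitimate flow: the same session starts the login and receives the callback.
	user := &Session{}
	authURL, _ := StartLogin(user)
	fmt.Println("redirect browser to:", authURL)
	issued := user.PendingState
	code, err := HandleCallback(user, "code=SplxlOBeZQQYbYS6WxSbIA&state="+issued) // constructed callback
	fmt.Println("own callback:", code, err)

	// Login CSRF attempt: the attacker starts a login in their own browser, gets a code
	// for the attacker's account, then makes the victim's browser load that callback URL.
	attacker := &Session{}
	StartLogin(attacker)
	victim := &Session{}
	StartLogin(victim)
	_, err = HandleCallback(victim, "code=attacker-code&state="+attacker.PendingState)
	fmt.Println("forged callback:", err) // rejected: state belongs to the attacker's session
}
```

The attacker can obtain a perfectly valid code and state from the authorization server; what they cannot do is read the victim's session cookie, so they cannot learn the state value the victim's session is waiting for. Three properties carry the check: the state is unguessable, it is bound to the session that created it rather than kept globally, and it is consumed on first use. Dropping any one of them reopens the cross-site path.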